Earlier this year, Gartner predicted a fundamental shift in enterprise security priorities from attack prevention to detection and response. Gartner also said that because the industry has been fixated on prevention for so long, there is an acute skills shortage in the area of detection and response. “Skill sets are scarce and, therefore, remain at a premium, leading organizations to seek external help from security consultants, managed security service providers (MSSPs) and outsourcers,” Gartner said.
This, obviously, opens a major opportunity for MSSPs. It also brings with it a huge challenge, because the onus is on MSSPs to accumulate the right skills and to deploy people in a way that puts those skills to optimal use. The latter half of this equation is a vexing challenge today, because many employees are not in a position to use their skills to maximum effect. Nowhere is this more apparent than in incident response teams, where analysts must wade through mountains of alerts, most of them false positives, before they can actually do something of value for clients.
A recent Cloud Security Alliance survey found that SOCs report a 110:1 ratio of anomalous events detected to actual threats. In other words, less than 1% of the events being flagged (roughly one in 111) merit attention, and the problem is only getting worse.
The approach du jour to this issue is to “throw more bodies at the problem.” But this brute-force approach ties the hands of operations managers, because they are forced to choose between expense and effectiveness. They can either add headcount for manual alert investigation, which is expensive; or they can tune detection thresholds and infrastructure to generate fewer alerts, which lets real threats go unnoticed and increases the likelihood of bad things happening to clients. This “Alert Tyranny” approach to operations impairs financial performance and the ability to deliver high-quality services to clients.
Don’t expect the alert overload problem to be solved by the vendors of the old forms of prevention, folks. Their products are fundamentally geared to detecting and alerting on anomalies, so they will always be the source of the problem, not the solution. Likewise, automating detection and response with security orchestration is a good idea; but as long as there is a 110:1 ratio of anomalous events to actual threats, this amounts to automating a process that is a waste of time more than 99% of the time. It would be far more productive to actually fix the process so that fewer false positives reach an analyst in the first place.
The opportunity could not be clearer: enterprises cannot keep up with their detection and response requirements and must rely on MSSPs. They are, in effect, handing off the alert overload problem to MSSPs. MSSPs have a choice. They can pay armies of incident response people for the privilege of taking on their clients’ collective alert-overload pain; or they can follow today’s innovators and create smart new ways to reduce or eliminate the alert overload problem, which will free them to be more effective, more profitable and, ultimately, indispensable to clients.